News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as “another hack” or “Sony hacked again“. However, according to a blog post from Sony’s SVP and Chief Information Security Officer, that simply isn’t the case.
The attack against PSN accounts belonging to Sony subscribers went like this… Person or persons unknown, built or obtained a database of username and password pairs which they attempted to use to log into the PSN and SOE. The “overwhelming majority” of access attempts using these pairs of credentials failed, in fact less than 0.1% were successful. For this reason Sony suspect that the credentials used were not stolen from Sony directly, either now or in past intrusions. The database in question was most probably email and password pairs that have been obtained elsewhere but were being used in a brute force attack against Sony, in the knowledge that users have the unfortunate habit of reusing passwords across multiple services.
When Sony detected this irregular activity against its servers it immediately locked out all of the affected accounts and is informing the affected users that they need to change their passwords. Only a small fraction of that 0.1% showed evidence of irregular activity before Sony locked them down, meaning that the damage was successfully contained.
In reality this story should not be characterised as a failure over at Sony, but rather a success. Through their own monitoring systems they detected anomalous behaviour, acted quickly to contain the damage and locked out the accounts affected. They are also obliging the affected users to change their service passwords to better secure themselves in the future. Of course given the past intrusion at Sony, there is every possibility that the data does relate to that stolen from Sony earlier but also indicates that the mass password reset policy it instituted after the event served to render the majority of that data unusable.
After all it is not, as Sony have learned to their cost, whether you get attacked that is important, it’s how you deal with it. The lesson for Sony customers is not that Sony hasn’t learned lessons, it is rather that we as users still have some important lessons to learn.
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember
As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.